TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Using SmartID Cards to Access Computer Systems Is Taking Longer Than Expected

September 28, 2012

Reference Number: 2012-20-115

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number   | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website        | http://www.tigta.gov


HIGHLIGHTS

USING SMARTID CARDS TO ACCESS COMPUTER SYSTEMS IS TAKING LONGER THAN EXPECTED

Final Report issued on September 28, 2012

Highlights of Reference Number: 2012-20-115 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The President's Cyberspace Policy emphasized that agencies need to use SmartID cards to access computer systems. The IRS's efforts to upgrade its systems to use the SmartID cards are taking longer than expected. Upgrading the security of computer systems is important to prevent disruptions in critical IRS processes and to protect taxpayers' personal information from unauthorized access.

WHY TIGTA DID THE AUDIT

This audit was initiated to evaluate the implementation and security of the IRS's two-factor authentication system for accessing computer systems. Two-factor authentication is a secure approach to verifying employees' identities on a system and requires the presentation of two identifying factors: something the user knows (a personal identification number) and something the user has (a SmartID card). Two-factor authentication provides a significant improvement in computer security in terms of controlling access to systems.

WHAT TIGTA FOUND

The IRS developed a two-factor authentication system with the required components. However, significant delays prevented the IRS from deploying the new two-factor authentication system as originally planned. The IRS originally planned to complete the deployment by September 2011. The deployment is now planned to be completed by July 2013.

In addition, the IRS did not appoint a project manager with the requisite training and experience to lead the Internal Identity and Access Management project, which included the two-factor authentication component. This decision led to numerous issues. The project team did not make adequate progress in some crucial areas such as developing two-factor authentication for computer administrators, conducting required testing, and completing key documents and processes.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer direct IRS Labor Relations to notify the National Treasury Employees Union and begin negotiating mandatory use of the SmartID cards. TIGTA also recommended that the Assistant Chief Information Officer, Cybersecurity, appoint a certified project manager with the requisite training and experience to lead the Internal Identity and Access Management project and direct the project manager to ensure the required security control assessment is completed, select a method to implement two-factor authentication for administrators, coordinate the activities to ensure all required testing is completed, and complete the required documents and processes that are needed to fully test and evaluate the system.

The IRS agreed with seven of the recommendations and plans to bargain with the National Treasury Employees Union as appropriate on mandatory use of the SmartID Cards, appoint a certified project manager and provide adequate resources to the project, and assign project resources to determine if a viable solution for administrators' use of SmartID cards exists. The IRS disagreed with two recommendations regarding the required testing of the new system and stated that testing was completed in accordance with its procedures and additional testing is not necessary.

TIGTA remains concerned about the IRS's disagreement on the issue of testing. The IRS did not conduct the required testing for the most significant part of the two-factor authentication system, which is the part employees will use to authenticate to the IRS network. TIGTA found no evidence that the security, integration, capacity, and performance testing were conducted for this crucial part of the system.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 28, 2012

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:     Michael E. McKenney
          Acting Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Using SmartID Cards to Access Computer Systems Is Taking Longer Than Expected (Audit # 201120011)

This report presents the results of our review of the Internal Revenue Service's efforts to implement the use of SmartID card access for computer systems. This audit is included in our Fiscal Year 2012 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

Management's complete response to the draft report is included in Appendix VIII. The response details the Internal Revenue Service's disagreement with two recommendations and indicates the required testing was not conducted prior to deploying the two-factor authentication system using SmartID cards. In addition, responses to other recommendations indicate this project is not being given sufficient priority. Because we believe the Internal Revenue Service's disagreements with our findings and recommendations are significant, we plan to elevate our concerns to the Department of the Treasury. We request that the IRS Commissioner submit a written reply to the Assistant Secretary for Management and Chief Financial Officer of the Department of the Treasury within 30 calendar days of the final report issuance date.

Copies of this report are also being sent to the Internal Revenue Service Managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.


Table of Contents

Background (Page 1)

Results of Review (Page 4)
    The Internal Revenue Service Developed a Two-Factor Authentication System With the Required Components (Page 4)
    The Internal Identity and Access Management Project Encountered Significant Delays (Page 5)
    A Project Manager Was Not Appointed to Manage the Internal Identity and Access Management Project (Page 7)
    Use of SmartID Cards Will Be Further Delayed (Page 7)
        Recommendation 1 (Page 10)
        Recommendations 2 through 4 (Page 11)
        Recommendation 5 (Page 12)
    Required Testing Was Not Conducted (Page 12)
    Key Enterprise Life Cycle Artifacts and Processes Were Not Completed (Page 14)
        Recommendations 6 through 8 (Page 18)
        Recommendation 9 (Page 19)

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology (Page 20)
    Appendix II – Major Contributors to This Report (Page 23)
    Appendix III – Report Distribution List (Page 24)
    Appendix IV – Authentication to Network Diagram (Page 25)
    Appendix V – Diagram of Oracle Enterprise Single Sign-On Manager Software (Page 26)
    Appendix VI – Delays in Implementing Reduced SmartID Sign-On (RSSO) (Page 27)
    Appendix VII – Glossary of Terms (Page 28)
    Appendix VIII – Management's Response to the Draft Report (Page 34)


Abbreviations

ELC    Enterprise Life Cycle
ESSO   Enterprise Single Sign-On Manager
FY     Fiscal Year
HSPD   Homeland Security Presidential Directive
IIAM   Internal Identity and Access Management
IRS    Internal Revenue Service
MRR    Milestone Readiness Review
OMB    Office of Management and Budget
PIV    Personal Identity Verification
RSSO   Reduced SmartID Sign-On


Background

On August 27, 2004, President Bush signed Homeland Security Presidential Directive-12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. This directive established a new standard for issuing and maintaining identification badges for Federal employees and contractors entering Government facilities and accessing computer systems.[1] The intent was to improve security, increase Government efficiency, reduce identity fraud, and protect personal privacy. Agencies are required to use Personal Identity Verification (PIV) badges (also referred to as SmartID cards) to access computer systems (logical access).

Over the past five years, the HSPD-12 mandate has been emphasized continuously.

•   The Department of the Treasury (hereafter called the Treasury Department) issued Treasury Directive 85-01, Treasury Information Technology Security Program,[2] establishing Security Enhanced Controls 14 and 15. Security Enhanced Control 14 mandates two-factor authentication for access to all administrator accounts and Security Enhanced Control 15 requires bureaus to design authentication methods with HSPD-12 credentials for access to all systems.

•   The President's Cyberspace Policy Review, issued in May 2009, and the President's budget for Fiscal Year (FY) 2011 highlighted the importance of identity management in protecting the Nation's infrastructure.

•   The Office of Management and Budget (OMB), in February 2011, emphasized the continued implementation of HSPD-12 by requiring that SmartID cards be used as the common means of authentication for access to the agency's facilities, networks, and information systems.[3] The OMB also required agencies to follow specific technical standards and business processes for the issuance and routine use of the SmartID cards.

•   In the same OMB February 2011 memorandum, the Department of Homeland Security required agencies to develop an implementation plan to expedite the full use of the SmartID cards as the common means of authentication for access to networks and information systems. Effective at the beginning of FY 2012, existing logical access control systems must be upgraded to use SmartID cards prior to the agency using development and technology funds to complete other activities.

[1] See Appendix VII for a glossary of terms used throughout this report.
[2] Department of the Treasury, Treasury Directive Publication 85-01 (Rev. 2.2), Treasury Information Technology Security Program (Nov. 2006, includes updates as of March 1, 2012).
[3] OMB, Memorandum 11-11, Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors (Feb. 2011).

The Internal Revenue Service (IRS) is addressing the logical access portion of the HSPD-12 mandate and the Treasury Department's two-factor authentication directive through its Internal Identity and Access Management (IIAM) program. Phase 2 of this program (hereafter called the IIAM project) includes designing, developing, and deploying the capability for employees to use SmartID cards to authenticate to:

•   The Windows® network.
•   Administrator accounts, which provide elevated access privileges.
•   The IRS's virtual private network, known as the Enterprise Remote Access Project, which is used by employees working in remote locations. The grid cards currently used to authenticate to this virtual private network must be replaced with SmartID cards.
•   Mainframe systems.

The IRS plans for 50,000 employees to use their SmartID card for logical access by the end of December 2012.

System security will be significantly improved at the IRS once employees are using SmartID cards for logical access. Users will insert their SmartID card into a card reader connected to the computer or into a built-in card reader slot that is present on some computers and, when prompted, type in their personal identification number. The software on the computer verifies the SmartID card and personal identification number by communicating with a database located at the Treasury Department's Bureau of the Public Debt. See Appendix IV for a diagram of the authentication system the IRS developed to use SmartID cards for logging on to the network.

The scope of the IIAM project also includes deployment of the Oracle Enterprise Single Sign-On Manager (Oracle ESSO) software to computer workstations and laptop computers. This commercial off-the-shelf software is intended to provide a short-term solution to further reduce the use of passwords when accessing IRS applications. However, IIAM project officials informed us that this software is not the long-term solution for authenticating employees to IRS applications. See Appendix V for a diagram of how the Oracle ESSO operates. IIAM project officials report to the IRS's Security Services and Privacy Executive Steering Committee, which provides oversight and approves the project's Enterprise Life Cycle (ELC) Milestone Exit Reviews.

This review was focused on the IRS's efforts to implement two-factor authentication for its network using SmartID cards. We performed the review in the offices of the Information Technology organization in New Carrollton, Maryland, and Martinsburg, West Virginia, from January through June 2012. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.


Results of Review

The Internal Revenue Service Developed a Two-Factor Authentication System With the Required Components

Implementation policies were updated – The IRS updated its implementation policies consistent with the Treasury Department and Department of Homeland Security directives. These policies are intended to help the IRS expedite the use of SmartID cards for logical access and to comply with Federal mandates. The IRS made the following updates to its policies:

•   Effective the beginning of Fiscal Year 2012, existing physical and logical access control systems must be upgraded to use PIV credentials, in accordance with National Institute of Standards and Technology guidelines, prior to the agency using technology refresh funds to complete other activities.

•   Procurements for services and products involving facility or system access control must be in accordance with HSPD-12 policy and the Federal Acquisition Regulations. In order to ensure Government-wide interoperability, OMB Memorandum 06-18, Acquisition of Products and Services for Implementation of HSPD-12, dated June 6, 2006, requires agencies to acquire products and services that are approved as compliant with Federal policy, standards, and supporting technical specifications.

•   Effective immediately, all new systems under development must be enabled to use PIV credentials, in accordance with National Institute of Standards and Technology guidelines, prior to being made operational.

•   Agency processes must accept and electronically verify PIV credentials issued by other Federal agencies.

•   The Government-wide architecture and completion of agency transition plans must align as described in the Federal Chief Information Officer Council's Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance, dated November 10, 2009.

The two-factor authentication system included the required components – The IRS's two-factor authentication system includes the three main components required by Federal Information Processing Standard Publication 201.[4] These components include:

•   PIV Front-End Subsystem – PIV cards, card readers, and personal identification number input devices. The PIV cardholder interacts with these components to gain logical access to the desired Federal resource.

•   PIV Card Issuance and Management Subsystem – the components responsible for identity proofing and registration, card and key issuance and management, and various repositories and services required as part of the verification infrastructure.

•   Access Control Subsystem – the logical access control systems, the protected resources, and the authorization data.

[4] National Institute of Standards and Technology, FIPS PUB 201-1, Federal Information Processing Standards Publication: Personal Identity Verification of Federal Employees and Contractors (Mar. 2006).

The IRS acquired products that are compliant with technical specifications

•   The ActivClient middleware used to read the SmartID cards is certified by the National Institute of Standards and Technology.
•   The Oracle ESSO software is an approved product in the IRS Enterprise Architecture.
•   The external card readers purchased to read the SmartID cards are personal computer/SmartID card certified.

The combination of the card readers and the ActivClient middleware enables users to authenticate to the network using their SmartID cards.

As previously stated, the Oracle ESSO software is an interim solution until a more significant change to the IRS's infrastructure can be implemented. The software is not certified by the National Institute of Standards and Technology and does not reduce the number of identity stores at the IRS. The IRS's final solution will reduce the number of identity stores and allow system administrators to efficiently add and remove users' access to applications. Reducing the number of identity stores the IRS has will also reduce the risk of unauthorized access to systems.

The Internal Identity and Access Management Project Encountered Significant Delays

The IRS is 22 months behind its original planned completion date for implementing the new two-factor authentication system and enabling all employees to use SmartID cards for logical access. The original completion date was September 30, 2011, but the IRS now expects to fully complete the implementation by July 26, 2013. The following delays prevented the IRS from implementing the IIAM project on time. See Appendix VI for a timeline of these delays.

The encryption requirements changed – The IRS successfully upgraded the level of encryption for the certificates on the SmartID cards from Secure Hash Algorithm-1 (SHA-1) to Secure Hash Algorithm-256 (SHA-256) to meet the requirements recommended by the National Institute of Standards and Technology.[5] The IRS initially believed it could not support the stronger standard and would be forced to upgrade its Windows XP operating system on all computer workstations. However, the IRS coordinated with the Microsoft Corporation to obtain a service patch that made the operating system compatible with the new standard.

The Oracle Corporation acquired Passlogix – When the IRS originally procured the Oracle ESSO software in August 2010, this software was named v-GO SSO and was owned by a company named Passlogix. In October 2010, the Oracle Corporation purchased Passlogix and rebranded the software to reflect the new owner. This change caused problems in the software, and it ceased to function as intended. The IRS's reliance on the Oracle Corporation to address these issues took a considerable amount of time and caused additional delays.

Negotiations with the National Treasury Employees Union – The IRS is required to negotiate with the National Treasury Employees Union when the IRS initiates changes to employees' working conditions. Negotiations with the Union to implement the IIAM project took longer than expected due to three issues.

    1. Discipline – Managing employees who repeatedly lose their SmartID card, who are repeatedly locked out of their accounts, and who gain inappropriate access to the network.

    2. Communication Packet – Issuing a "communication packet" to employees with instructions on how to use the Reduced SmartID Sign-On capability (RSSO).[6] The packet must be issued to all affected employees no less than five workdays before implementation.

    3. Unauthorized Access – Adding the following statement to the Memorandum of Understanding that was signed by the IRS and the Union: "Bargaining unit employees will not be held responsible and/or disciplined if an employee's Reduced SmartID Sign-On system accesses an unauthorized system and/or network through no fault of the bargaining unit employee."

Filing Season Moratorium – Every year a filing season moratorium is put into place at the IRS to stabilize its production environments during peak processing times. During the moratorium, no changes to the production environment are allowed to be implemented without executive approval, and the IIAM project did not have this approval. In FY 2011, the moratorium was in effect from November 30, 2010, through May 23, 2011, and in FY 2012, from November 1, 2011, through May 21, 2012.

The Customer Account Data Engine, version 2, was a higher priority – On October 14, 2011, the IRS Information Technology organization's Enterprise Operations function requested that the IIAM project delay its deployment of the RSSO until May 2012. This request was due to the Enterprise Operations function's responsibility for ensuring the IRS Customer Account Data Engine 2 would operate as intended during the filing season. The Customer Account Data Engine 2 was a top priority, and the Enterprise Operations function could not afford for its computers to be inoperable due to any RSSO deployment issues. If the Customer Account Data Engine 2 went offline, returns could not be processed timely, and this was a risk that the Enterprise Operations function was not willing to take.

[5] National Institute of Standards and Technology, NIST Special Publication 800-78-3, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (Dec. 2010).
[6] The Reduced SmartID Sign-On is a significant part of the IIAM project and provides two separate yet related functions: 1) the capability to log on to the IRS network and 2) the capability to use the Oracle ESSO software.

The cumulative effect of these delays resulted in the IRS acquiring software licenses that were not used. The IRS bought 95,000 ActivClient licenses, totaling $1,077,300, for use during the period August 31, 2010, through August 30, 2011. In addition, 95,000 licenses for the Oracle ESSO software were purchased for use during this same period for $1,452,550. The licenses were never used because the IRS did not begin deploying the software until May 2012.

The IRS bought the software licenses in August 2010 in the event the RSSO deployment could begin as originally planned in December 2010. Also, IIAM project officials wanted to use FY 2010 funds that were available at that time but might not be available in subsequent years.

A Project Manager Was Not Appointed to Manage the Internal Identity and Access Management Project

Many of the issues presented in the remaining sections of this report are due to the lack of a project manager with the requisite training and experience to manage the IIAM project. The IIAM project started in Calendar Year 2009 and was led by the Information Technology organization's Enterprise Services function. The Enterprise Services function did not have staffing resources to assign a project manager. After the project team completed its milestone exits in December 2010, the team members were reassigned to other projects, and leadership was assigned to the Information Technology organization's Cybersecurity office. At the end of our fieldwork in July 2012, a project manager had not been appointed to lead the numerous complex IIAM activities. A project manager was needed to: 1) oversee the progress in developing two-factor authentication for administrators, applications, and the virtual private network; 2) ensure the required testing was performed; and 3) ensure ELC artifacts and review processes required in the project's tailoring plan were properly completed.

Use of SmartID Cards Will Be Further Delayed

The use of SmartID cards for two-factor authentication will continue to experience delays for the following reasons.

The IRS cannot require employees to use their SmartID cards for logical access

The IRS cannot require its employees to use their SmartID cards for logical access to the network because it did not negotiate mandatory use of the cards with the National Treasury Employees Union. The Memorandum of Understanding signed by the IRS and the Union in October 2011 invites employees to use their SmartID cards on a voluntary basis. In addition, the IRS does not have a time period in place when it expects to mandate the use of the cards, nor has it begun negotiations with the Union to require usage.

The IRS's Information Technology organization directed the Labor Relations office not to negotiate mandatory use of the SmartID cards with the National Treasury Employees Union for several reasons, such as the logistical problems some employees will face if they need to replace their damaged or lost SmartID card. Some employees work in close proximity to a SmartID card credentialing station, which facilitates a relatively easy card replacement process, while other employees work in remote offices.
The Union did not want some employees to be\nrequired to use their SmartID cards while others are not.\nIn a January 2011 memorandum to the Treasury Department, the OMB cited the department\xe2\x80\x99s\nlack of progress in using the SmartID cards to access computer systems. The OMB approved7\nfunding for the Treasury Department\xe2\x80\x99s information technology development, modernization, and\nenhancement initiatives based on the completion of three goals related to SmartID card usage:\n    \xe2\x80\xa2   25 percent of SmartID cardholders must be using the cards for logical access to the\n        network by the end of FY 2011.\n    \xe2\x80\xa2   50 percent of SmartID cardholders must be using the cards by the end of FY 2012.\n    \xe2\x80\xa2   100 percent of SmartID cardholders must be using the cards by the end of FY 2013.\nThe OMB approved development, modernization, and enhancement funding for activities only\nthrough FY 2012 and noted that, based on successful completion of the above goals, it would\nevaluate the appropriateness of funding for FY 2013 and beyond. The Treasury Department\napplied the OMB\xe2\x80\x99s FY 2012 usage goal (50 percent of cardholders) to the IRS.\nConsidering that the previous negotiations with the Union lasted approximately two years, the\nnext round of negotiations to mandate use of the SmartID cards could take just as long or longer,\nwhich would further delay employees using their cards. Many employees could choose to\ncontinue using their passwords. The delays would postpone the security enhancements of\ntwo-factor authentication and could affect information technology funding due to not meeting the\nOMB SmartID card usage goals.\n\n7\n Department of the Treasury, Treasury Improvement Plan for Treasury Enterprise Identity, Credential and\nManagement Investment (Jan. 
2011).\n\nInadequate progress implementing two-factor authentication for administrators\nThe Federal Identity, Credential, and Access Management (FICAM) Roadmap8 requires agencies to\nensure computer users authenticate to computer resources using one SmartID card. It also advises that\nif using the SmartID cards for administrator accounts is not technically feasible, agencies may\nuse another method in the interim but should not stand up a new alternative credential\ninfrastructure if one is not already in place.\nThe General Services Administration, which creates and issues the SmartID cards, established a\nlimit of one identity on each SmartID card and one card per person. However, this policy\nconflicts with the IRS Cybersecurity office\xe2\x80\x99s policy that requires a separate identity to perform\nadministrator services on computer systems. Computer administrators at the IRS are issued two\nidentities, one for end-user access and another for their elevated administrator access. Keeping\nday-to-day and administrative identities separate is itself a sound least-privilege control, so the\nconflict has to be resolved without collapsing the two accounts into one.\nThe conflicting policies and the IIAM project\xe2\x80\x99s focus on other project initiatives hindered the\nIRS from making progress in this crucial area. When the IRS began the RSSO deployment in\nMay 2012, none of the computer administrators had the capability to use their SmartID cards for\nlogical access. The lack of progress is significant because administrator accounts have the most\nelevated privileges on computer systems. Unauthorized access to these accounts could allow\nmalicious users to cause significant damage and disruption.\n\nInadequate progress has been made to enable the use of SmartID cards for\nauthentication to applications\nIRS employees access approximately 1,900 internal applications. 
However, the IRS informed us\nthat only 12 applications have been enabled to use a PIV authentication service. The term\n\xe2\x80\x9cPIV-enabled\xe2\x80\x9d refers to an application authenticating a user with the credentials on the user\xe2\x80\x99s\nSmartID card and a personal identification number, without requiring the user to type in a\npassword. The Oracle ESSO software does not meet this definition: it stores the user\xe2\x80\x99s\napplication password and replays it on the user\xe2\x80\x99s behalf, so the application still authenticates a\npassword, and the password still exists and still has to be stored and protected. The Oracle ESSO\nsoftware therefore does not reduce the use of passwords to authenticate to the applications.\nFurthermore, the Oracle ESSO does not reduce the number of identity stores, which is a key\nsecurity goal of PIV-enabling applications.\nTo meet the Department of Homeland Security\xe2\x80\x99s directive to expedite the use of SmartID cards\nfor logical access, the Treasury Department9 defined its interpretation of this requirement as it\nrelates to accessing applications.\n\n8\n  Identity, Credential, and Access Management Subcommittee, Federal Identity, Credential, and Access\nManagement (FICAM) Roadmap and Implementation Guide (Ver. 2) (Dec. 2011); issued under the auspices of the\nFederal Chief Information Officers Council and at the request of the Federal Enterprise Architecture.\n9\n  Department of the Treasury, Department of the Treasury Interpretation on Personal Identity Verification\nEnablement of Logical Access Control Systems (Nov. 2011).\n\n       The Department considers an application to be PIV-enabled if: it directly\n       validates the user\xe2\x80\x99s PIV Authentication Certificate; or relies upon a PIV-enabled\n       authentication service. 
To enhance the usability of our PIV-enabled applications,\n       the Department is pursuing industry standard role-based access control systems\n       that leverage PIV authentication such as Integrated Windows Authentication\n       (IWA), CA Site Minder, and others.\nThe lack of progress is due to the Internal Identity and Access Management program delaying\nthis work until Phase 3 of the program. Program officials also cited a lack of resources to change\nthe existing applications. This has prevented the IRS from reducing the number of identity stores\nthat are used by the applications. The greater number of identity stores increases the length of\ntime it takes system administrators to remove access for terminated users. This issue increases\nthe risk of unauthorized access to the applications.\n\nInadequate progress has been made to configure the Enterprise Remote Access\nProject to use SmartID Cards\nThe IIAM project has not made adequate progress to modify the Enterprise Remote Access\nProject, the IRS virtual private network, to use the SmartID cards for authentication. The virtual\nprivate network provides employees throughout the organization the capability to remotely log in\nto the network and access information technology resources such as e-mail and applications.\nEmployees use the virtual private network while working in remote locations such as the\nemployee\xe2\x80\x99s home, a taxpayer\xe2\x80\x99s office, or a hotel.\nAlthough developing SmartID card authentication for the virtual private network is required in\nthe IIAM project\xe2\x80\x99s tailoring plan, the IRS does not plan to begin deploying a solution until the\nsummer of 2012. Furthermore, the project team does not know when the effort will be\ncompleted or why this part of the project is delayed.\nThe lack of progress will result in employees using their passwords and grid cards to authenticate\nto the virtual private network for an indefinite period. 
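Both shortfalls above (the applications and the Enterprise Remote Access Project) come down to the same relying-party check that the Treasury definition describes: validate the PIV Authentication Certificate and make the card prove possession of its private key against a fresh challenge, instead of accepting a password that the user or the ESSO software supplies. The Go program below is an added example written for this page; it is not IRS, Treasury or Oracle code and does not describe how the RSSO is actually built. It simulates the exchange with a hypothetical agency issuing CA, a card credential for a constructed user "ALICE.EXAMPLE", and a second credential with the same name issued by a CA the relying party does not trust, and it shows the replayed exchange and the untrusted certificate being rejected. The CA names, user name, serial numbers and one-year certificate lifetimes are assumptions. A production relying party would additionally check revocation (CRL or OCSP) and the PIV-specific certificate contents that FIPS 201 defines; the example omits both.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint makes a fresh RSA key and a one-year client-auth certificate for it signed by
// parent/signer, or a self-signed issuing CA when parent is nil. Names and serials are constructed.
func mint(cn string, serial int64, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // issuing CA: may sign certificates, is not itself a client credential
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// signChallenge is the on-card step after the PIN unlocks the PIV Authentication key:
// sign the relying party's nonce. The PIN is never sent and the key never leaves the card.
func signChallenge(cardKey *rsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	return must(rsa.SignPKCS1v15(rand.Reader, cardKey, crypto.SHA256, digest[:]))
}

type relyingParty struct { // the application or VPN gateway being PIV-enabled
	roots *x509.CertPool  // issuing CA(s) the agency trusts
	seen  map[string]bool // consumed nonces, so a captured exchange cannot be replayed
}

func (rp *relyingParty) challenge() []byte {
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	return nonce
}

// authenticate "directly validates the user's PIV Authentication Certificate": chain to a
// trusted root, validity period and client-auth EKU, then a fresh signature over a nonce
// this relying party chose. No password is stored, sent or compared at any point.
func (rp *relyingParty) authenticate(cert *x509.Certificate, nonce, sig []byte, now time.Time) (string, error) {
	if rp.seen[string(nonce)] {
		return "", fmt.Errorf("replayed challenge")
	}
	opts := x509.VerifyOptions{Roots: rp.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, nonce, sig); err != nil {
		return "", fmt.Errorf("bad challenge signature: %w", err)
	}
	rp.seen[string(nonce)] = true
	return cert.Subject.CommonName, nil
}

// runDemo tries a genuine card, a replay of that same exchange, and a same-named card from a
// CA the agency does not trust; it returns the accepted user and the three outcomes.
func runDemo() (user string, genuine, replay, rogue error) {
	now := time.Now()
	ca, caKey := mint("Hypothetical Agency PIV CA", 1, nil, nil)
	rogueCA, rogueKey := mint("Untrusted CA", 2, nil, nil)
	card, cardKey := mint("ALICE.EXAMPLE", 3, ca, caKey)
	fake, fakeKey := mint("ALICE.EXAMPLE", 4, rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	rp := &relyingParty{roots: roots, seen: map[string]bool{}}
	nonce := rp.challenge()
	sig := signChallenge(cardKey, nonce)
	user, genuine = rp.authenticate(card, nonce, sig, now) // accepted
	_, replay = rp.authenticate(card, nonce, sig, now)     // same nonce again: rejected
	nonce2 := rp.challenge()
	_, rogue = rp.authenticate(fake, nonce2, signChallenge(fakeKey, nonce2), now) // untrusted issuer: rejected
	return
}
func main() {
	user, genuine, replay, rogue := runDemo()
	fmt.Println("genuine:", user, genuine, "| replay:", replay, "| rogue:", rogue)
}
```

Running it prints the genuine card accepted as ALICE.EXAMPLE while the replay and the untrusted-issuer attempts fail. The seen map and the CurrentTime parameter are what make the check meaningful: a relying party that accepted a previously seen signature, or ignored the validity period, would accept a captured exchange or an expired card. Contrast this with the ESSO path described above, where the application's own verification step is unchanged and a stored password is what gets replayed.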
Grid cards are a form of\ntwo-factor authentication, but the method is less secure (a grid card is a printed table of values\nthat can be copied and offers no cryptographic proof of possession comparable to the private key\non a SmartID card) and it violates the mandate to use the SmartID cards for two-factor\nauthentication.\n\nRecommendations\nRecommendation 1: Subsequent to completing security testing for the two-factor\nauthentication system, the Chief Technology Officer should direct IRS Labor Relations to notify\nthe National Treasury Employees Union and begin negotiating mandatory use of the SmartID\ncards.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation and stated the\n       solution is deployed as a component that is integrated into existing systems, and those\n       systems are evaluated in accordance with Cybersecurity policy. The Office of Labor\n       Strategy and Negotiations will issue notice to the National Treasury Employees Union\n       and bargain as appropriate once the IRS has advised it that the processes and procedures\n       for two-factor authentication with consideration for misplaced or inoperative cards are\n       ready for implementation. The IRS also responded that security testing is not a condition\n       for mandatory use of the SmartID cards.\n       Office of Audit Comment: We disagree with the IRS\xe2\x80\x99s statement that security testing\n       is not a condition for mandatory use of the SmartID cards. The IRS\xe2\x80\x99s Security\n       Assessment and Authorization procedures require security testing when a significant\n       change is made to a major system. 
The IRS defined the RSSO as a major change and the\n       General Support System 32, which houses the RSSO components, is a major system.\n       The IRS should conduct the required security testing prior to requiring employees to use\n       the SmartID cards.\nRecommendation 2: The Assistant Chief Information Officer, Cybersecurity, should appoint\na certified project manager with the requisite training and experience to lead the IIAM project\nand provide sufficient full-time staffing and resources to the IIAM project.\n       Management\xe2\x80\x99s Response: The IRS agreed with the spirit and intent of this\n       recommendation. The IRS will appoint a qualified project manager and will provide the\n       necessary project resources to the IIAM project as documented in the IT Integrated\n       Release Plan.\nRecommendation 3: The Assistant Chief Information Officer, Cybersecurity, should direct\nthe IIAM project manager to select the most feasible method to implement two-factor\nauthentication for administrators and coordinate the activities needed to implement the interim\nand long-term solutions.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. By\n       July 2014, the Associate Chief Information Officer, Cybersecurity, will assign project\n       resources to determine if a viable solution for administrators using the SmartID card\n       exists. If no viable solution exists, the IRS will direct project resources to develop and\n       implement alternatives for an interim solution until a viable solution can be implemented.\n       Office of Audit Comment: The July 2014 completion date set by the IRS is not\n       timely. 
In its February 2011 memorandum, the Department of Homeland Security\n       required agencies to expedite the use of the SmartID cards for logical access and upgrade\n       existing logical access control systems to use the SmartID cards prior to using\n       development and technology funds to complete other activities. The IRS should\n       prioritize the efforts to implement two-factor authentication for administrators and set an\n       earlier completion date for its corrective actions.\nRecommendation 4: The Assistant Chief Information Officer, Cybersecurity, should direct\nthe IIAM project manager to prioritize and coordinate the work to establish the infrastructure\nneeded to PIV-enable applications.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n       believes its current implementation, along with the work done to Active Directory, would\n       meet the Treasury Department definition of PIV-enabled infrastructure/applications. The\n       IRS will develop a plan to prioritize and coordinate the remaining work to establish the\n       infrastructure needed for PIV-enabled applications.\n       Office of Audit Comment: Developing a plan to implement this recommendation is\n       not sufficient. 
The IRS should place a higher priority on PIV-enabling IRS applications\n       and reducing the number of identity stores used by the applications.\nRecommendation 5: The Assistant Chief Information Officer, Cybersecurity, should direct\nthe IIAM project manager to coordinate and lead the activities to plan, develop, test, and deploy\ntwo-factor authentication using SmartID cards for logical access to the Enterprise Remote\nAccess Project.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. A solution\n       for remote access using the SmartID cards was developed and tested. Based on this\n       testing, the User and Network Services function is upgrading components of the network\n       infrastructure that are required to support the use of the SmartID cards for remote access.\n       The IRS set an October 2014 completion date for this recommendation.\n       Office of Audit Comment: We believe that October 2014 is not a timely deadline to\n       provide SmartID card authentication for employees working remotely. The IRS should\n       make its corrective actions a higher priority and set an earlier completion date.\n\nRequired Testing Was Not Conducted\nThe project team deployed the RSSO without performing the required testing to determine if the\nsystem is secure and functions as intended.\n\nSecurity testing was not conducted\nThe IIAM project team waived the Security Assessment and Authorization requirement in\nOctober 2009 based on advice from the Cybersecurity office. The Cybersecurity office advised\nthe project team that it could bypass the Security Assessment and Authorization process because\nthe process is not applicable to a commercial off-the-shelf software implementation as long as\nthe software is part of the IRS Enterprise Architecture. 
However, as presented in Appendix IV,\nthe two-factor authentication system includes several components in addition to the software.\nAt the end of our fieldwork, the IRS informed us it would perform an event-driven security\ncontrol assessment to assess the security controls in place for the RSSO and to help determine if\nthe system is appropriately safeguarded. Security testing should, however, have been conducted\nprior to system deployment to provide assurance that security risks and vulnerabilities are\nidentified and mitigated.\n\nOther types of required testing were also not conducted\nThe End of Test Completion report is a crucial ELC artifact that is required to summarize the\nactual testing results and identify the test approach, design, planning, and execution variances\nfrom the original test plan. The report should also provide the conclusions and recommendations\nfor the project as a whole. These results should then be considered by the Security Services and\nPrivacy Executive Steering Committee. The End of Test Completion report should address the\nfollowing types of testing:\n   \xe2\x80\xa2   Integration \xe2\x80\x93 The purpose of integration testing is to verify functional, performance, and\n       reliability requirements placed on major design items. Test cases are constructed to test\n       that all components interact.\n   \xe2\x80\xa2   Application \xe2\x80\x93 Application testing deals with tests for the entire application. This is\n       driven by the scenarios from the analysis team. 
Application limits and features are tested.\n       The application must successfully execute all scenarios before it is ready for general use.\n   \xe2\x80\xa2   Infrastructure \xe2\x80\x93 Infrastructure testing helps determine how well the network and\n       infrastructure cope with change, specifically in relation to performance, availability,\n       security, and scalability.\n   \xe2\x80\xa2   Capacity \xe2\x80\x93 Capacity testing simulates a surge in the number of users, stressing the\n       application\xe2\x80\x99s hardware infrastructure.\n   \xe2\x80\xa2   Performance \xe2\x80\x93 Performance testing measures how the system behaves under expected\n       and peak load (response time, throughput, and resource use) to confirm it meets its\n       performance requirements before general use.\nThe integration, infrastructure, capacity, and performance testing for the RSSO were not\naddressed in the End of Test Completion report, and we found no evidence this testing was\nconducted. The system to authenticate employees to the network using their SmartID cards was\nnot tested.\nSeveral sections of the End of Test Completion report were missing, such as the detailed test\nresults and defect summary sections. Other sections, such as the executive summary and\nconclusions and recommendations, contained default wording from the template, indicating the\nreport was not tailored to the IIAM project. In addition, the report was not approved by the\nrequired officials, such as the preparer, project lead, test program office coach, senior test\nspecialist, and test program office manager.\nThe improper waiving of testing and deficiencies in the End of Test Completion report are due to\ninadequate project oversight and the Cybersecurity office\xe2\x80\x99s opinion that the RSSO was merely a\ncommercial off-the-shelf software implementation. 
The IIAM project team also cited the\nsuccessful pilot that ended in March 2010 as justification for not conducting the testing.\nHowever, the pilot was conducted primarily to test the ActivClient middleware and the\nPasslogix v-GO SSO software. Users were given the option of using their SmartID cards to\nauthenticate to the network, but we saw no evidence this authentication system was tested.\nTesting was also conducted after the pilot, from December 2011 to May 2012, but this testing\nfocused only on employees installing the Oracle ESSO software on their workstations and using\ntheir SmartID cards to access and use the Oracle ESSO software. This post-pilot testing by\n24 employees did not include testing to evaluate the use of SmartID cards to authenticate to the\nnetwork.\nWithout performing the required testing, the IRS does not have adequate assurance that the\nsystem will operate as intended and that risks have been identified and mitigated.\n\nKey Enterprise Life Cycle Artifacts and Processes Were Not\nCompleted\nAll IRS projects are required to follow the ELC. The ELC is the approach used to manage and\nimplement business change through information systems initiatives, and it provides the artifacts\nand processes needed to accomplish business change in a consistent and repeatable manner. 
The\noverall objective of the ELC is to enhance chances for success by reducing risk and ensuring\ncompliance with internal and external standards and mandates.\n\nTwo key artifacts were not completed and two artifacts were improperly waived\nSystem Deployment Plan \xe2\x80\x93 The System Deployment Plan is required to define the detailed set of\ndeployment activities that must be completed to deploy the IIAM components into the operating\nenvironment. It should include the dependencies, roles and responsibilities, and deployment\nschedule. However, these details were not included in this artifact. The required comprehensive\nlist of deployment activities and the start and end dates for the activities were missing. The\nSystem Deployment Plan included details only for the pilot and was not updated after the pilot\nwas completed. An example of a crucial missing activity is the communication packet that must\nbe sent to employees. The communication packet advises employees on how to install the\nsoftware and what to do in the event of technical difficulties; it also contains the security policies\nregarding the new two-factor authentication system. These details were not included in the\nSystem Deployment Plan. In addition, five of the six officials required to review and approve\nthis artifact did not sign the document.\nTransition Management Plan \xe2\x80\x93 The Transition Management Plan should provide the activities\nto ensure a smooth transition from the developing to the receiving organization that will maintain\nand support the new system. 
Readiness assessment workshops must be conducted, and the\nresults should be documented in the Transition Management Plan.\nThe following questions should be answered in this artifact.\n   1. How are business processes and procedures impacted?\n   2. Will you have enough staff when the system is delivered?\n   3. Does your staff need additional skills?\nWe found no evidence that the readiness assessment workshops were conducted, and the\nTransition Management Plan lacked the required details. In addition, the document contained\nforward-looking statements, indicating it was not updated after the Design (Milestone 3) phase.\nExamples include \xe2\x80\x9cThe SmartID card usage transition impact to the IRS receiving organization\nwill be assessed in Milestone 4b\xe2\x80\x9d and \xe2\x80\x9cCross organization gaps will be updated for any readiness\ngaps that may be uncovered during the readiness assessment workshops.\xe2\x80\x9d\nIn addition to the improper completion of the System Deployment Plan and Transition\nManagement Plan, the project team improperly waived two artifacts, the Functional\nConfiguration Audit and the Physical Configuration Audit.\nFunctional Configuration Audit \xe2\x80\x93 The Functional Configuration Audit is required to evaluate\nthe developed system to determine how well the requirements have been met. 
The activities\ninclude:\n   \xe2\x80\xa2   Witnessing test execution or examining the test report to ensure the system functionality\n       matches its requirements.\n   \xe2\x80\xa2   Verifying the accuracy of the Requirements Traceability Matrix.\n   \xe2\x80\xa2   Tracing the baselined requirements to test cases.\nPhysical Configuration Audit \xe2\x80\x93 The Physical Configuration Audit is required to evaluate the\ntechnical documentation against the system, as built, to confirm the documentation\xe2\x80\x99s\neffectiveness for maintenance, support, and operation.\nThe project team waived the Functional Configuration Audit and Physical Configuration Audit\nartifacts and documented this risk in the Item Tracking Reporting and Change Control System,\njustifying the decision as low risk. The project team also justified its decision by citing the\ncompletion of the RSSO pilot. However, as previously stated in this report, the pilot ended in\nMarch 2010, more than two years prior to deployment of the RSSO, and did not require\nemployees to log in to the IRS network using the SmartID cards.\nThe improper completion and waiver of the artifacts is due to the IRS not appointing a project\nmanager with the requisite training and experience to oversee and manage the numerous and\ncomplex IIAM project activities. The effects could be felt over the next two years as the IRS\nattempts to deploy, maintain, and support the two-factor authentication system. The inadequate\nSystem Deployment Plan could affect deployment and cause further delays. 
The inadequate\nTransition Management Plan could prevent a smooth transition to the receiving organizations\nresponsible for maintaining and supporting the new two-factor authentication processes. Lastly,\nby not completing the Functional Configuration Audit and the Physical Configuration Audit\nartifacts, the IRS does not have adequate assurance that the two-factor authentication system\nmeets all the requirements and will operate as intended when employees begin using their\nSmartID cards to access the network, applications, and virtual private network.\n\nSome key processes in the Milestone Readiness Reviews were not properly\nconducted\nThe Milestone Readiness Review (MRR) is a significant ELC process to determine if the project\nis in compliance with ELC requirements and ready to begin the next phase of work. The\nreviewing organization makes a recommendation to the project\xe2\x80\x99s Executive Steering Committee\non whether the project should be allowed to exit its current milestone and advance to the next\nphase of work. For the IIAM project, the ELC coach conducted the MRRs. The MRR process\nrequires the coach to verify that process owners and stakeholders approved the artifacts listed in\nthe project\xe2\x80\x99s tailoring plan. This process is crucial because the ELC coach does not have the\ntechnical expertise to review the artifacts. The ELC coach is also required to validate that the\nproject team conducted the in-depth ELC reviews, such as the Customer Technical Reviews and\nLife Cycle Stage Reviews, that are listed in the tailoring plan. To perform this process, the ELC\ncoach must again rely on the process owners and stakeholders to conduct these in-depth reviews\nand raise concerns. 
The ELC coach should raise concerns if the artifacts are not approved or the\nin-depth reviews are not conducted.\nKey artifacts were not approved by the required officials\nThe Business System Requirements Report, Business System Concept Report, and Business\nSystem Architecture Report are key artifacts required to be completed in the Domain\nArchitecture (Milestone 2) phase of the project. However, these artifacts were not approved by\nthe required officials, each contained proposed comments and changes that were not addressed,\nand the ELC coach did not raise a concern during the MRR. Examples include:\n   \xe2\x80\xa2   The Business System Requirements Report was not approved by the HSPD-12 Program\n       Manager or the Requirements and Demand Management Program Manager. Edits were\n       proposed to the capability requirements section, but the project team did not address\n       them. The capability requirements are the highest level requirements associated with the\n       project.\n   \xe2\x80\xa2   The Business System Concept Report was missing the same approvals as the Business\n       System Requirements Report. Comments were made about the key factors that will\n       contribute to the overall success of the project. However, these comments were not\n       addressed in the document.\n   \xe2\x80\xa2   The Business System Architecture Report was missing approvals by the: 1) Internal\n       Identity and Access Management Chief Architect, 2) HSPD-12 Program Manager, and\n       3) Executive Director of Enterprise Architecture. 
Changes were proposed to the privacy\n       requirements section but were not accepted or addressed by the project team.\nDuring the Design (Milestone 3) phase of the project, the Design Specification Report also\nlacked the required signatures of the three approving officials. This artifact also contained\ncomments that were not addressed by the project team. Examples include comments and edits to\nthe assumptions and constraints of the project and the business processes.\nThe ELC coach informed us that he saw the required approvals in e-mail messages but that, in\nCalendar Year 2009, it was difficult to get approving officials to electronically sign/approve the\nartifacts. However, we did not see the required approvals for these documents.\nWe believe these key artifacts were not properly completed and approved, and the MRR process\nto detect this deficiency was not effective. When key artifacts are not properly completed and\napproved, the success of the project is jeopardized. Specifically, the system might not operate as\nintended and additional delays or problems with the deployment could surface.\nThe Customer Technical Review and Life Cycle Stage Review for the Integration Test and\nEvaluation were not conducted\nThe Integration Test and Evaluation is a significant artifact required in the IIAM project\xe2\x80\x99s\nSystem Development (Milestone 4b) phase. The purpose of the artifact is to combine all\nindividually developed components into a fully tested release and ensure applicable system tests\nare completed. 
The ELC tailoring plan for the project requires an in-depth Customer Technical\nReview and Life Cycle Stage Review be performed on the Integration Test and Evaluation.\nHowever, this artifact was not completed, the in-depth reviews were not performed, and the ELC\ncoach did not raise a concern during the MRR.\nThe ELC coach did not take exception to the lack of a Customer Technical Review or a Life\nCycle Stage Review and recommended the project be approved to exit its Milestone 4b phase.\nHe stated that a Customer Technical Review was not required to exit Milestone 4b and a Life\nCycle Stage Review is recommended but not always required. We disagree and believe the\nIIAM project team should have completed these in-depth reviews that are required by the\nproject\xe2\x80\x99s tailoring plan.\nBy not verifying project artifacts were approved and validating that all the required reviews were\nperformed, the project was allowed to exit milestones without completing the required work.\nThe IRS does not have adequate assurance that the two-factor authentication system will operate\nas intended when employees attempt to use their SmartID cards to access the IRS\xe2\x80\x99s network and\napplications. Undetected security vulnerabilities may also surface once the IRS begins to roll out\ntwo-factor authentication to employees.\n\nRecommendations\nRecommendation 6: To ensure security risks and vulnerabilities are identified and mitigated,\nthe Chief Technology Officer should direct the Cybersecurity organization to ensure the\nevent-driven security control assessment for the General Support System 32 is completed by\nDecember 30, 2012.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. 
The\n       Associate Chief Information Officer, Cybersecurity, will ensure an event-driven security\n       control assessment is performed by December 30, 2012.\nRecommendation 7: The Associate Chief Information Officer, Cybersecurity, should direct\nthe project manager to coordinate with the Applications Development Enterprise Systems\nTesting staff to ensure all required testing is completed, complete the End of Test Completion\nreport, and present the test results to the Security Services and Privacy Executive Steering\nCommittee by December 30, 2012.\n       Management\xe2\x80\x99s Response: The IRS disagreed with this recommendation and stated\n       that testing was completed in accordance with guidance established by the ELC Project\n       Management Office. The IRS stated that the RSSO was deployed to users\n       in 2010 to provide feedback to the project team on any operational issues. In addition,\n       the RSSO deployment to all IRS employees is already underway, with approximately\n       13,000 users already activated. 
The IRS also stated that additional testing is not\n       necessary and the deployment status and results will be shared with the Security Services\n       and Privacy Executive Steering Committee.\n       Office of Audit Comment: Our audit tests determined that the Oracle ESSO software\n       was tested, but the more significant part of the RSSO, which is the capability that will\n       allow employees to use SmartID cards to authenticate to the IRS network, was not tested.\n       We examined pilot test data provided by the IIAM project team as well as all testing\n       documented within the End of Testing Completion Report but could not find evidence\n       that security, integration, capacity, or performance testing was conducted for this crucial\n       part of the RSSO.\nRecommendation 8: To ensure MRRs are properly completed, the Associate Chief\nInformation Officer, Strategy and Planning, should direct the ELC office to validate that required\nELC reviews such as Customer Technical Reviews and Life Cycle Stage Reviews are properly\nconducted and all artifacts are finalized and approved by the required officials listed within the\nartifacts.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation and stated the\n       ELC Office should validate that the required ELC reviews, such as the Customer\n       Technical Reviews and the Life Cycle Stage Reviews, are properly conducted following\n       the procedures. The IRS also agreed that the ELC Office should ensure that all the\n\n                                                                                          Page 18\n\x0c                                Using SmartID Cards to Access\n                       Computer Systems Is Taking Longer Than Expected\n\n\n\n       signatures designated in the artifact\xe2\x80\x99s template are provided. 
Lastly, the IRS stated it is\n       currently updating the above ELC procedures to strengthen and clarify responsibilities.\nRecommendation 9: The Associate Chief Information Officer, Cybersecurity, should direct\nthe project manager to conduct the: 1) Functional Configuration Audit, 2) Physical\nConfiguration Audit, and 3) Life Cycle Stage Review for the Integration Test and Evaluation.\n       Management\xe2\x80\x99s Response: The IRS disagreed with this recommendation. The IRS\n       stated that the deployment of RSSO is already underway, with approximately\n       13,000 users already activated; therefore, additional efforts related to preparing for the\n       Integration Test and Evaluation are not needed. The IRS stated that testing was\n       completed as established by the ELC Program Management Office.\n       Office of Audit Comment: The IRS did not conduct the required testing for the most\n       significant part of the RSSO, which is the new system employees will use with their\n       SmartID cards to authenticate to the IRS network. The Integration Test and Evaluation is\n       a significant ELC artifact that should be completed to ensure all applicable system tests\n       were conducted. The Functional Configuration audit was also required to be completed\n       to evaluate the developed system and determine how well the requirements have been\n       met. 
Lastly, the Physical Configuration Audit was required to be completed to evaluate\n       the technical documentation against the system, as built, to confirm the documentation\xe2\x80\x99s\n       effectiveness for maintenance, support, and operation.\n\n\n\n\n                                                                                            Page 19\n\x0c                                       Using SmartID Cards to Access\n                              Computer Systems Is Taking Longer Than Expected\n\n\n\n                                                                                      Appendix I\n\n            Detailed Objective, Scope, and Methodology\n\nOur overall objective was to evaluate the implementation and security of the IRS\xe2\x80\x99s two-factor\nauthentication for logical access.1 To accomplish our objective, we:\nI.         Assessed the IRS\xe2\x80\x99s implementation of the SmartID two-factor authentication system for\n           logical access to evaluate the progress and determine whether the system meets required\n           security standards.\n           A. Reviewed the Treasury Department\xe2\x80\x99s HSPD-12 implementation policy to determine\n              whether it meets the standards specified by the Department of Homeland Security and\n              whether IRS implementation efforts related to logical access align with the policy.\n              The policy was required to be developed and issued by March 31, 2011.\n           B. Determined if the two-factor logical access system is secure.\n               1. Evaluated policies, procedures, and security documentation related to the security\n                  of the SmartID card logical access authentication to identify required security\n                  controls.\n               2. 
Obtained and reviewed Security Assessment and Authorization documentation for\n                  the General Support System that hosts the SmartID card two-factor authentication\n                  for logical access to determine if two-factor authentication was adequately\n                  addressed. (Security Assessment and Authorization was performed for the\n                  General Support System but not for the SmartID card two-factor authentication\n                  for logical access.)\n               3. Interviewed the infrastructure engineer who designed the process for logical\n                  access authentication to determine the design and security controls that are\n                  planned for two-factor authentication.\n               4. Validated and assessed any security vulnerabilities identified in Steps 1\xe2\x80\x933.\n               5. Determined whether the serial numbers for SmartID card certificates, which are\n                  passed by the Bureau of the Public Debt\xe2\x80\x99s Certificate Authority server to the IRS\n                  authentication server, should be encrypted.\n\n\n\n\n1\n    See Appendix VII for a glossary of terms used throughout this report.\n\n                                                                                             Page 20\n\x0c                              Using SmartID Cards to Access\n                     Computer Systems Is Taking Longer Than Expected\n\n\n\n      C. Determined whether the two-factor authentication for logical access is working as\n         intended and identified the cause and effect of delays.\n         1. Determined the number of employees who are currently using the SmartID cards\n            for logical access and the schedule for full implementation.\n         2. 
Determined the number of logical access systems (legacy and modernized\n            systems) that have been upgraded to use the SmartID cards in accordance with\n            National Institute of Standards and Technology guidelines and reviewed the\n            upgrade schedule for noncompliant systems. (For modernized systems, we\n            determined whether the Accounts Management Services system and the\n            Modernized e-File system have been upgraded.)\n         3. Interviewed IIAM project leaders or appropriate officials to determine if the\n            two-factor authentication for logical access is working as intended and includes\n            key Federal Information Processing Standard requirements and components.\n         4. Analyzed the deployment plan for the SmartID cards to identify the time period\n            for using SmartID cards for logical access, and determined whether the time\n            period has been rebaselined.\n         5. Determined when stakeholders were initially involved in the IIAM project by\n            interviewing IIAM members and reviewing ELC Milestone 1 deliverables and\n            processes such as the Project Kickoff meeting, Life Cycle Stage Reviews, and\n            MRRs. We reviewed documentation that shows when and how often the key\n            stakeholders were engaged in the project.\n         6. Reviewed the System Deployment Plan to determine the activities that should\n            have been completed to mitigate the delays and avoid wasted resources.\n         7. Determined whether software licenses, infrastructure, electronic certificates, or\n            contractor services acquired for the full deployment of SmartID card usage in\n            Calendar Year 2010 resulted in wasted funds.\nII.   
Determined whether key ELC processes and deliverables were followed and completed\n      for the SmartID card two-factor authentication project and whether any deviations\n      resulted in delays or inefficient use of resources.\n      A. Determined the ELC path the SmartID card for logical access project followed and\n         whether the project team completed the required key deliverables, processes, and\n         Milestone Exit Reviews through the current milestone.\n      B. Obtained and analyzed testing documentation for the SmartID card two-factor\n         authentication initiative to determine if security testing is sufficient.\n\n\n\n\n                                                                                        Page 21\n\x0c                                   Using SmartID Cards to Access\n                          Computer Systems Is Taking Longer Than Expected\n\n\n\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: the Federal Information Processing\nStandard 2012 and related Internal Revenue Manual guidelines and the processes followed by the\nIRS to implement SmartID card use for computer access. We evaluated these controls by\nconducting interviews and meetings with management and staff, observing operations analysts\non site, and reviewing documentation such as standard operating procedures.\n\n\n\n\n2\n National Institute of Standards and Technology, FIPS PUB 201-1, Federal Information Processing Standards\nPublication: Personal Identity Verification of Federal Employees and Contractors (Mar. 
2006).\n\n                                                                                                     Page 22\n\x0c                               Using SmartID Cards to Access\n                      Computer Systems Is Taking Longer Than Expected\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nW. Allen Gray, Audit Manager\nCari D. Fogle, Lead Auditor\nCharles O. Ekunwe, Senior Auditor\nBret Hunter, Senior Auditor\nSamuel C. Mettauer, Information Technology Specialist\nDaniel Oakley, Information Technology Specialist\n\n\n\n\n                                                                                     Page 23\n\x0c                              Using SmartID Cards to Access\n                     Computer Systems Is Taking Longer Than Expected\n\n\n\n                                                                            Appendix III\n\n                        Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Commissioner for Services and Enforcement SE\nDirector, Office of Research, Analysis and Statistics RAS\nChief, Criminal Investigations SE:CI\nDirector, Statistics of Income RAS:S\nHuman Capital Officer OS:HC\nAssociate Chief Information Officer, Cybersecurity OS:CTO:C\nAssociate Chief Information Officer, Enterprise Operations OS:CTO:EO\nAssociate Chief Information Officer, Enterprise Services OS:CTO:ES\nAssociate Chief Information Officer, Strategy and Planning OS:CTO:SP\nAssociate Chief Information Officer, User and Network Services OS:CTO:UNS\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis 
RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                                  Page 24\n\x0c                                  Using SmartID Cards to Access\n                         Computer Systems Is Taking Longer Than Expected\n\n\n\n                                                                                          Appendix IV\n\n                 Authentication to Network Diagram\n\n\n\n\n    Source: Interviews conducted and documents reviewed by the Treasury Inspector General for Tax\n    Administration.\n.\n\n\n\n\n                                                                                                    Page 25\n\x0c                                Using SmartID Cards to Access\n                       Computer Systems Is Taking Longer Than Expected\n\n\n\n                                                                                        Appendix V\n\n                     Diagram of Oracle Enterprise\n                   Single Sign-On Manager Software\n\n\n\n\nSource: Interviews conducted and documents reviewed by the Treasury Inspector General for Tax\nAdministration.\n\n\n\n\n                                                                                                Page 26\n\x0c                             Using SmartID Cards to Access\n                    Computer Systems Is Taking Longer Than Expected\n\n\n\n                                                                                    Appendix VI\n\n                  Delays in Implementing\n              Reduced SmartID Sign-On (RSSO)\n\n\n\n\nSource: Interviews conducted and documents reviewed by the Treasury Inspector General for Tax\nAdministration.\n\n\n\n\n                                                                                                Page 27\n\x0c                                 Using SmartID Cards to Access\n                       
Appendix VII

Glossary of Terms

ActivClient: A commercial off-the-shelf product sold by the ActivIdentity Company that allows workstations to read a user’s SmartID card for authentication.

Active Directory Leaf: Active Directory provides a central location for network administration and security. It authenticates and authorizes all users and computers in a Windows network. The leaf object stores users’ data.

Administrator Account: An account that has elevated privileges used for managing the system.

Artifact: An artifact is the tangible result of an activity or task performed during the life cycle of a project. There are different categories of artifacts: solution artifacts and management artifacts.

Authentication: The process in which users are granted access to a system based on their identity.

Business System Architecture Report: Documents components of the solution, the architecture of how the components fit together and interact, and the plan for implementing the solution over time in the business area.

Business System Concept Report: Documents the future vision for the business area and a conceptual system solution to support the vision.

Business System Requirement Report: Documents all the requirements for the solution.

CA Site Minder: A web access management product that ties security together and offers single sign-on, the process by which a user logs in only once to a web resource and then is automatically logged in to all related resources.

Calendar Year: The 12-consecutive-month period ending on December 31.

Commercial Off-the-Shelf: An adjective that describes software or hardware products that are ready-made and available for sale to the general public.

Configuration Item: Fundamental structural unit of a configuration management system. Examples include individual requirements documents, software, models, and plans. The configuration management system oversees the life of the configuration item through a combination of process and tools by implementing and enabling the fundamental elements of identification, change management, status accounting, and audits. The objective of this system is to avoid the introduction of errors related to lack of testing as well as incompatibilities with other configuration items.

Customer Technical Review: A review performed by stakeholders on a work product, or small group of closely related work products produced by a project team, with the purpose of facilitating approval of the work product by ensuring early stakeholder feedback as well as early identification and resolution of issues and actions.

Design Specification Report: Documents the logical design of the data and application perspectives.

Encryption: The process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

End of Test Completion Report: Summarizes results of tests conducted, including conditions passed and failed.

Enterprise Architecture: A strategic information asset base which defines the mission, the information and technologies necessary to perform the mission, and the transitional processes for implementing new technologies in response to the changing needs of the mission.

Enterprise Life Cycle (ELC): A standard approach to manage and implement business change through information systems initiatives. The ELC provides the direction, processes, tools, and assets necessary to accomplish business change in a consistent and repeatable manner.

Event-Driven Control Assessment: The process by which security controls are assessed following changes to an information technology system. An Event-Driven Control Assessment only applies to systems with an existing security authorization. It does not apply to new systems without a security authorization, nor does it apply to systems whose security authorization is expiring. These systems will still follow the current IRS Security Assessment and Authorization process.

Filing Season: The period from January 1 through mid-April when most individual income tax returns are filed.

Fiscal Year: A 12-consecutive-month period ending on the last day of any month, except December. The Federal Government’s fiscal year begins on October 1 and ends on September 30.

Functional Configuration Audit: An examination of test documentation and evaluation data to verify that if testing of a developed product is successful, then the product is acceptable (i.e., “good enough”), as determined by the Subject Matter Expert and the witnessing of the testing process or reviewing test results documentation to verify that the configuration item has achieved the functionality specified in the relevant configuration.

General Support System 32: An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people. General Support System 32 relates to IRS workstations and support.

Grid Card: A method of identifying users in which the user is asked to input a series of characters based on a preregistered pattern on a grid (that the user knows) and a grid of pseudo-random characters generated by the authenticator. This method results in a different series of characters each time the user authenticates.

Identity Store: A system that maintains identity information. An identity store is often an authoritative source for some of the information it contains.

Integrated Windows® Authentication: A method of authenticating users to other systems in which Integrated Windows Authentication does not initially prompt for a user name and password. The current Windows user information on the client is used for Integrated Windows Authentication.

Integration Test and Evaluation: The purpose is to combine all individually developed components into a fully tested release.

Item Tracking Reporting and Control System: An information tracking system used to track and report on issues and action items in the modernization effort.

Life Cycle Stage Review: Provides a broad, horizontal look across the technical and business aspects of the solution being developed to verify that it is appropriately constituted (i.e., complete, consistent, and correct) given its point in the life cycle and to approve the solution for baselining.

Logical Access: Controls used to determine the electronic information and systems that users and other systems may access and the actions that may be performed on the information accessed.

Middleware: Software that functions at an intermediate layer between applications and an operating system or database management system, or between client and server.

Milestone Exit Review: One of the features in the Governance Layer of the ELC Framework. Milestone Exit Reviews are project reviews performed by IRS executives when a project has reached a life cycle milestone to determine if the project will be allowed to continue on to the next milestone and, if necessary, to approve the required funding.

Milestone Readiness Review: A project review performed to determine if the project is ready to begin the milestone exit process. Its objectives are to help eliminate last-minute project delays and rework often experienced during Milestone Exit Reviews and to streamline decisions made by the project’s governance organization. The Milestone Readiness Review uses existing information to determine whether or not the project team has satisfied conditions outlined in the tailoring plan.

National Institute of Standards and Technology: Under the Department of Commerce, this organization is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.

Operating System: An operating system is a set of software that manages computer hardware resources and provides common services for computer programs. The operating system is a vital component of the system software in a computer system. Application programs require an operating system to function.

Physical Configuration Audit: An examination of the technical documentation for designated configuration items to verify that the technical documentation, such as requirements, drawings, and software code listings, which defines the configuration items conforms to the “As-Built” configuration items.

Requirements Traceability Matrix: A tool showing the relationship between test requirements and test cases.

Scalability: Scalability is the ability of a system, network, or process to handle a growing amount of work in a capable manner or its ability to be enlarged to accommodate that growth.

Secure Hash Algorithm: The Secure Hash Algorithm is one of a number of cryptographic hash functions published by the National Institute of Standards and Technology as a U.S. Federal Information Processing Standard.

Service Patch: A fix to a software program. A patch is an actual piece of object code that is inserted into (patched into) an executable program. Patches typically are available as downloads over the Internet.

Subject Matter Expert: A subject matter expert or domain expert is a person who is an expert in a particular area or topic.

System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. A system normally includes hardware, software, information, data, applications, communications, and people.

System Deployment Plan: Presents the detailed plan for deploying a solution at one or more sites.

Tailoring Plan: Tailoring is modification of standard provisions of the IRS’s ELC to meet the unique needs of a specific project. The project tailoring plan documents all tailoring decisions, explains the nature of all modifications, and provides justification for each change. The plan includes initial tailoring performed for the project as a whole as well as tailoring refinements made to address project releases and individual life cycle phases. The published tailoring plan documents the engineering path, work products, and reviews that a project will follow during its development life cycle.

Transition Management Plan: Presents a plan for ensuring post-deployment readiness for affected end-user and operations and maintenance organizations.

Two-Factor Authentication: An approach to authentication which requires the presentation of two or more of the three authentication factors: something the user knows (a personal identification number), something the user has (a SmartID card), and something the user is (a fingerprint).

Virtual Private Network: Technology for using the Internet to connect computers to isolated remote computer networks that would otherwise be inaccessible. A virtual private network provides security so that traffic sent through the virtual private network connection stays isolated from other computers.

Appendix VIII

Management’s Response to the Draft Report

(The IRS’s response is reproduced in the original report as scanned pages and is not included in this text version.)